Appendix listing of additional Click modules ("elements").
ADAPTIVESHAPER(n) ADAPTIVESHAPER(n)



NAME 

AdaptiveShaper - Click element 
SYNOPSIS 

AdaptiveShaper (DROP_P, REPRESS_WEIGHT) 

PROCESSING TYPE 
Push 

DESCRIPTION 

AdaptiveShaper is a push element that shapes input traffic
from input port 0 to output port 0. Packets are shaped
based on "repressive" traffic from input port 1 to output
port 1. Each repressive packet increases a multiplicative
factor f by REPRESS_WEIGHT. Each input packet is killed
instead of pushed out with f * DROP_P probability. After
each dropped packet, f is decremented by 1.






EXAMPLES 

ELEMENT HANDLERS 
drop_prob (read/write)
value of DROP_P

repress_weight (read/write)
value of REPRESS_WEIGHT



SEE ALSO 

PacketShaper(n), RatioShaper(n)
ADAPTIVESPLITTER(n) ADAPTIVESPLITTER(n)



NAME 

AdaptiveSplitter - Click element 

SYNOPSIS 

AdaptiveSplitter (RATE) 

PROCESSING TYPE 
Push 

DESCRIPTION 

AdaptiveSplitter attempts to split RATE number of packets
per second for each address. It takes the fwd_rate annotation
set by IPRateMonitor(n), and calculates a split probability
based on that rate. The split probability attempts
to guarantee RATE number of packets per second. That is,
the lower the fwd_rate, the higher the split probability.

Split packets are on output port 1. Other packets are
on output port 0.



EXAMPLES 

AdaptiveSplitter(10);

SEE ALSO

IPRateMonitor(n)
ADDRFILTER(n) ADDRFILTER(n)



NAME 



AddrFilter - Click element 



SYNOPSIS 



AddrFilter (DST/SRC, N) 

PROCESSING TYPE 
Push 

DESCRIPTION 

Filters out IP addresses given in write handler. DST/SRC
specifies which IP address (dst or src) to filter. N is
the maximum number of IP addresses to filter at any time.
Packets that pass the filter go to output 0. Packets
rejected by the filter go to output 1.

AddrFilter looks at addresses in the IP header of the
packet, not the annotation. It requires an IP header
annotation (MarkIPHeader(n)).



EXAMPLES 

AddrFilter (DST, 8) 
Filters by dst IP address, up to 8 addresses. 



ELEMENT HANDLERS 

table (read)

Dumps the list of addresses to filter and

add (write)

Expects a string "addr mask duration", where addr is 
an IP address, mask is a netmask, and duration is the 
number of seconds to filter packets from this IP 
address. If 0 is given as a duration, filtering is 
removed. For example, "18.26.4.6 255.255.255.0 10" 
would filter out all packets with dst or source 
address 18.26.4.* for 10 seconds. New addresses push 
out old addresses if more than N number of filters 
already exist. 



reset (write)

Resets on write. 
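
The table behaviour described for the add handler (mask match, per-rule duration, duration 0 to remove, a cap of N rules), as an added C++ example. It is a user-space model and not Click's AddrFilter source; the class name AddrFilterModel, evicting the oldest rule first, and treating a repeated addr/mask as a refresh are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <deque>
#include <sstream>
#include <string>

// Added illustration: a user-space model of the AddrFilter table, not Click source.

// Parse a dotted-quad IPv4 address into host byte order; reject anything else.
static bool parse_ip4(const std::string &s, uint32_t &out) {
    unsigned a, b, c, d;
    char tail;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

struct FilterEntry {
    uint32_t net;   // addr & mask
    uint32_t mask;
    long expires;   // absolute time in seconds at which the filter lapses
};

class AddrFilterModel {
public:
    explicit AddrFilterModel(size_t n) : cap_(n) {}

    // One write to the "add" handler: "addr mask duration".
    // Returns false for malformed input so that no partial rule is installed.
    bool add(const std::string &line, long now) {
        std::istringstream in(line);
        std::string a, m, extra;
        long dur;
        uint32_t addr, mask;
        if (!(in >> a >> m >> dur) || (in >> extra) || dur < 0)
            return false;
        if (!parse_ip4(a, addr) || !parse_ip4(m, mask))
            return false;
        remove(addr & mask, mask);      // duration 0, or refresh of an existing rule
        if (dur == 0 || cap_ == 0)
            return true;
        if (table_.size() >= cap_)
            table_.pop_front();         // assumption: the oldest rule is pushed out
        FilterEntry e = {addr & mask, mask, now + dur};
        table_.push_back(e);
        return true;
    }

    // Output port for a packet whose selected (DST or SRC) address is ip:
    // 0 = passed the filter, 1 = rejected by the filter.
    int classify(const std::string &ip, long now) {
        uint32_t addr;
        if (!parse_ip4(ip, addr))
            return 1;                   // model choice: an unparsable address is rejected
        for (std::deque<FilterEntry>::iterator it = table_.begin(); it != table_.end();) {
            if (it->expires <= now) { it = table_.erase(it); continue; }
            if ((addr & it->mask) == it->net) return 1;
            ++it;
        }
        return 0;
    }

    size_t size() const { return table_.size(); }

private:
    void remove(uint32_t net, uint32_t mask) {
        for (std::deque<FilterEntry>::iterator it = table_.begin(); it != table_.end(); ++it)
            if (it->net == net && it->mask == mask) { table_.erase(it); return; }
    }
    size_t cap_;
    std::deque<FilterEntry> table_;
};
```

Expired rules are purged lazily in classify(), so the model needs no timer.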



SEE ALSO 



Classifier(n), MarkIPHeader(n)
ATTACKLOG(n) ATTACKLOG(n)

NAME

AttackLog - Click element; maintains a log of attack packets
in SAVE_FILE.

SYNOPSIS 

AttackLog (SAVE_FILE, INDEX_FILE, MULTIPLIER, PERIOD) 

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Maintains a log of attack packets in SAVE_FILE. Expects 
packets with ethernet headers, but with the first byte of 
the ethernet header replaced by an attack bitmap, set in 
kernel. AttackLog classifies each packet by the type of 
attack, and maintains an attack rate for each type of 
attack. The attack rate is the arrival rate of attack 
packets multiplied by MULTIPLIER. 

AttackLog writes a block of data into SAVE_FILE once every
PERIOD number of seconds. Each block is composed of
entries of the following format:

delimiter (0s)                     4 bytes
time                               4 bytes
attack type                        2 bytes
attack rate                        4 bytes
ip header and payload (padded)    86 bytes

                                 100 bytes

Entries with the same attack type are written out
together. A delimiter of 0xFFFFFFFF is written to the end
of each block.

A circular timed index file is kept in INDEX_FILE alongside
the attacklog. See CircularIndex(n).



SEE ALSO 



CircularIndex(n)
CIRCULARINDEX(n) CIRCULARINDEX(n)



NAME 

CircularIndex - Click element; writes a timed circular
index into a file.

SYNOPSIS

CircularIndex

DESCRIPTION

CircularIndex writes an entry into a circular index file
periodically. The entry contains a 32 bit time stamp and a
64 bit offset into another file. The following functions
are exported by CircularIndex.

int initialize(String FILE, unsigned PERIOD, unsigned
WRAP) - Use FILE as the name of the circular file. Writes
entry into circular file once every PERIOD number of seconds.
WRAP is the number of writes before wrap around. If
WRAP is 0, the file is never wrapped around.

void write_entry(long long offset) - Write entry into
index file. Use offset as the offset in the entry.



SEE ALSO 

GatherRates(n), MonitorSRC16(n)
DISCARDTODEVICE(n) DISCARDTODEVICE(n)



NAME 

DiscardToDevice - Click element; drops all packets, gives 
skbs to device. 

SYNOPSIS 

DiscardToDevice (DEVICE) 

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Discards all packets received on its single input. Gives
all skbuffs to specified device.
FILTERTCP(n) FILTERTCP(n)



NAME 

FilterTCP - Click element 

SYNOPSIS 

FilterTCP () 

PROCESSING TYPE 
Push 

DESCRIPTION 

Expects TCP/IP packets as input. 
FROMTUNNEL(n) FROMTUNNEL(n)



NAME 

FromTunnel - Click element 

SYNOPSIS 

FromTunnel (TUNNEL, SIZE, BURST) 

PROCESSING TYPE 
Push 

DESCRIPTION 

Grab packets from kernel KUTunnel element. TUNNEL is a
/proc file in the handler directory of the KUTunnel element.
SIZE specifies size of the buffer to use (if packet
in kernel has larger size, it is dropped). BURST specifies
the maximum number of packets to push each time FromTunnel
runs.

EXAMPLES

FromTunnel(/proc/click/tunnel/config)
GATHERRATES(n) GATHERRATES(n)



NAME 



GatherRates - Click element 



SYNOPSIS 

GatherRates(SAVE_FILE, INDEX_FILE, TCPMONITOR_IN, TCPMONITOR_OUT,
MONITOR_PERIOD, SAVE_PERIOD);

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Gathers aggregate traffic rates from TCPMonitor(n) element
at TCPMONITOR_IN and TCPMONITOR_OUT.

Aggregate rates are gathered once every MONITOR_PERIOD
number of seconds. They are averaged and saved to
SAVE_FILE once every SAVE_PERIOD number of seconds. The
following entry is written to SAVE_FILE for both incoming
and outgoing traffic:

delimiter (0s)                                          4 bytes
time                                                    4 bytes
type (0 for incoming traffic, 1 for outgoing traffic)   4 bytes
packet rate of tcp traffic                              4 bytes
byte rate of tcp traffic                                4 bytes
rate of fragmented tcp packets                          4 bytes
rate of tcp syn packets                                 4 bytes
rate of tcp fin packets                                 4 bytes
rate of tcp ack packets                                 4 bytes
rate of tcp rst packets                                 4 bytes
rate of tcp psh packets                                 4 bytes
rate of tcp urg packets                                 4 bytes
packet rate of non-tcp traffic                          4 bytes
byte rate of non-tcp traffic                            4 bytes
rate of fragmented non-tcp traffic                      4 bytes
rate of udp packets                                     4 bytes
rate of icmp packets                                    4 bytes
rate of all other packets                               4 bytes

                                                       72 bytes

After the two entries, an additional delimiter of
0xFFFFFFFF is written. SAVE_PERIOD must be a multiple of
MONITOR_PERIOD.

A circular timed index is kept alongside the stats file.
See CircularIndex(n).



SEE ALSO 

TCPMonitor(n), CircularIndex(n)
ICMPPINGENCAP(n) ICMPPINGENCAP(n)



NAME 

ICMPPINGEncap - Click element 
SYNOPSIS 

ICMPPINGEncap(SADDR, DADDR [, CHECKSUM?])
DESCRIPTION

Encapsulates each incoming packet in an ICMP ECHO/IP packet
with source address SADDR and destination address DADDR. 
The ICMP and IP checksums are calculated if CHECKSUM? is 
true; it is true by default. 



EXAMPLES 

ICMPPINGEncap (1.0.0.1, 2.0.0.2) 
KUTUNNEL(n) KUTUNNEL(n)



NAME 

KUTunnel - Click element; stores packets in a FIFO queue 
that userlevel Click elements pull from. 

SYNOPSIS 

KUTunnel([CAPACITY])

PROCESSING TYPE 
Push 

DESCRIPTION 

Stores incoming packets in a first-in-first-out queue.
Drops incoming packets if the queue already holds CAPACITY
packets. The default for CAPACITY is 1000. Allows user-level
elements to pull from queue via ioctl.

ELEMENT HANDLERS

length (read-only)

Returns the current number of packets in the queue.



highwater_length (read-only) 

Returns the maximum number of packets that have ever 
been in the queue at once. 



capacity (read/write) 

Returns or sets the queue's capacity. 



drops (read-only) 

Returns the number of packets dropped so far. 



SEE ALSO 

Queue (n) 
LOGGER(n) LOGGER(n)



NAME 

Logger - Click element 
SYNOPSIS 

Logger(LOGFILE, INDEXFILE [, LOCKFILE, COMPRESS?, LOGSIZE,
PACKETSIZE, WRITEPERIOD, IDXCOALESC, PACKETFREQ, MAXBUFSIZE])

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Has one input and one output. 

Write packets to log file LOGFILE. A log file is a circular
buffer containing packet records of the following
form:

| time (6 bytes)   |
| length (2 bytes) |
| packet data      |



Time is the number of seconds and milliseconds since the 
Epoch at which a given packet was seen. Length is the 
length (in bytes) of the subsequent logged packet data. 
One or more packet records constitute one packet sequence. 

INDEXFILE maintains control data for LOGFILE. It contains 
a sequence of sequence control blocks of the following 
form: 



| date (4 bytes)        |
| offset (sizeof off_t) |
| length (sizeof off_t) |

Date is a number of seconds since the Epoch. Offset
points to the beginning of the packet sequence, i.e. to
the earliest packet record having a time no earlier than
date. Length is the number of bytes in the packet
sequence. IDXCOALESC is the number of coalescing packets
that a control block always covers. Default is 1024.

Sequence control blocks are always stored in increasing 
chronological order; offsets need not be in increasing 
order, since LOGFILE is a circular buffer. 

COMPRESS? (true, false) determines whether packet data is 
logged in compressed form. Default is true. 
LOGSIZE specifies the maximum allowable log file size, in
KB. Default is 2GB. LOGSIZE=0 means "grow as necessary". 

PACKETSIZE is the amount of packet data stored in the log. 
By default, the first 120 (128-6-2) bytes are logged and 
the remainder is discarded. Note that PACKETSIZE is the 
amount of data logged before compression. 

Packet records are buffered in memory and periodically 
written to LOGFILE as a packet sequence. WRITEPERIOD is 
the number of seconds that should elapse between writes to 
LOGFILE. Default is 60. INDEXFILE is updated every time a 
sequence of buffered packet records is written to LOGFILE. 
The date in the sequence control block is the time of the 
first packet record of the sequence, with milliseconds 
omitted. 

PACKETFREQ is an estimate of the number of packets per
second that will be passing through Logger. Combined with
WRITEPERIOD, this is a hint of buffer memory requirements.
By default, PACKETFREQ is 1000. Since by default WRITEPERIOD
is 60 and each packet record is at most 128 bytes,
Logger normally allocates 7500KB of memory for the buffer.
Logger will grow the memory buffer as needed up to a maximum
of MAXBUFSIZE KB, at which point the buffered packet
records are written to disk even if WRITEPERIOD seconds
have not elapsed since the last write. Default MAXBUFSIZE
is 65536 (64MB).
MONITORSRC16(n) MONITORSRC16(n)



NAME 



MonitorSRC16 - Click element 



SYNOPSIS 

MonitorSRC16(SAVE_FILE, INDEX_FILE, MULTIPLIER, PERIOD,
WRAP)



PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Examines src address of packets passing by. Collects
statistics for each 16 bit IP address prefix. The following
data structure is written to SAVE_FILE for every 16
bit IP address prefix every PERIOD number of seconds.

delimiter (0s) (4 bytes) 

time (4 bytes) 

addr (4 bytes) 

tcp rate (4 bytes) 

non tcp rate (4 bytes) 

percent of tcp (1 byte) 

percent of tcp frag (1 byte) 

percent of tcp syn (1 byte) 

percent of tcp fin (1 byte) 

percent of tcp ack (1 byte) 

percent of tcp rst (1 byte) 

percent of tcp psh (1 byte) 

percent of tcp urg (1 byte) 

percent of non tcp frag (1 byte) 

percent of udp (1 byte) 

percent of icmp (1 byte) 

reserved (1 byte) 



32 bytes 

TCP and non TCP rates are multiplied by MULTIPLIER. An
additional delimiter of 0xFFFFFFFF is written at the end
of a block of entries.

WRAP specifies the number of writes before wrap-around.
For example, if PERIOD is 60 and WRAP is 5, then every 5 minutes
the stats file wraps around.

A timed circular index is maintained alongside the
statistics file in INDEX_FILE. See CircularIndex(n).
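
A reader for the 32-byte MonitorSRC16 entry laid out above, added here as an example and not taken from Click; AttackLog(n) and GatherRates(n) frame their entries the same way (a zero delimiter per entry, 0xFFFFFFFF at the end of a block). Little-endian integers, the /16 prefix sitting in the top 16 bits of addr, the triage thresholds and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration (not Click source): decode one MonitorSRC16 block.
// Assumptions: integers are little-endian and addr carries the /16 prefix in
// its top 16 bits; the page states neither.
static const size_t ENTRY_SIZE = 32;
static const int N_PCT = 12;
enum PctField { PCT_TCP, PCT_TCP_FRAG, PCT_SYN, PCT_FIN, PCT_ACK, PCT_RST, PCT_PSH,
                PCT_URG, PCT_NONTCP_FRAG, PCT_UDP, PCT_ICMP, PCT_RESERVED };
enum ParseStatus { BLOCK_OK, BLOCK_TRUNCATED, BLOCK_BAD_DELIMITER };

struct Src16Entry {
    uint32_t time, addr, tcp_rate, non_tcp_rate;  // rates are still scaled by MULTIPLIER
    uint8_t pct[N_PCT];                           // indexed by PctField
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

// Reads entries from buf starting at *pos until the 0xFFFFFFFF end-of-block
// marker and leaves *pos just past it. Lengths are checked before every read.
ParseStatus parse_block(const std::vector<uint8_t> &buf, size_t *pos,
                        std::vector<Src16Entry> *out) {
    for (;;) {
        if (*pos > buf.size() || buf.size() - *pos < 4) return BLOCK_TRUNCATED;
        const uint8_t *p = buf.data() + *pos;
        uint32_t delim = rd32(p);
        if (delim == 0xFFFFFFFFu) { *pos += 4; return BLOCK_OK; }
        if (delim != 0) return BLOCK_BAD_DELIMITER;   // lost sync or corrupt file
        if (buf.size() - *pos < ENTRY_SIZE) return BLOCK_TRUNCATED;
        Src16Entry e;
        e.time = rd32(p + 4);
        e.addr = rd32(p + 8);
        e.tcp_rate = rd32(p + 12);
        e.non_tcp_rate = rd32(p + 16);
        for (int i = 0; i < N_PCT; i++) e.pct[i] = p[20 + i];
        out->push_back(e);
        *pos += ENTRY_SIZE;
    }
}

// Triage helper: /16 prefixes whose unscaled TCP rate is at least min_rate and
// whose SYN percentage is at least min_syn_pct. Both thresholds are the analyst's.
std::vector<uint32_t> syn_heavy_prefixes(const std::vector<Src16Entry> &entries,
                                         uint32_t multiplier, uint32_t min_rate,
                                         uint8_t min_syn_pct) {
    std::vector<uint32_t> hits;
    for (size_t i = 0; multiplier != 0 && i < entries.size(); i++)
        if (entries[i].tcp_rate / multiplier >= min_rate &&
            entries[i].pct[PCT_SYN] >= min_syn_pct)
            hits.push_back(entries[i].addr >> 16);
    return hits;
}

// Constructed sample data: two entries followed by the end-of-block marker.
static void put32(std::vector<uint8_t> &b, uint32_t v) {
    for (int i = 0; i < 4; i++) b.push_back((uint8_t)(v >> (8 * i)));
}
static void put_entry(std::vector<uint8_t> &b, uint32_t t, uint32_t addr, uint32_t tcp,
                      uint32_t non_tcp, uint8_t pct_tcp, uint8_t pct_syn) {
    put32(b, 0); put32(b, t); put32(b, addr); put32(b, tcp); put32(b, non_tcp);
    for (int i = 0; i < N_PCT; i++)
        b.push_back((uint8_t)(i == PCT_TCP ? pct_tcp : i == PCT_SYN ? pct_syn : 0));
}
std::vector<uint8_t> sample_block() {
    std::vector<uint8_t> b;
    put_entry(b, 1000, 0x0A010000u, 500, 40, 92, 3);     // 10.1/16, ordinary mix
    put_entry(b, 1000, 0xC6330000u, 90000, 10, 99, 97);  // 198.51/16, almost all SYN
    put32(b, 0xFFFFFFFFu);
    return b;
}
```

A BLOCK_BAD_DELIMITER result means the reader is no longer aligned on an entry boundary; the CircularIndex(n) offsets are the place to resynchronise from.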



SEE ALSO 

CircularIndex(n)
RANDOMTCPIPENCAP(n) RANDOMTCPIPENCAP(n)



NAME 

RandomTCPIPEncap - Click element 
SYNOPSIS 

RandomTCPIPEncap (DA BITS [DP SEQN ACKN CHECKSUM SA MASK]) 

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Encapsulates each incoming packet in a TCP/IP packet with
random source address and source port, destination address
DA, and control bits BITS. If BITS is -1, control bits
are also generated randomly. If destination port DP,
sequence number SEQN, or ack number ACKN is specified and
non-zero, it is used. Otherwise, it is generated randomly
for each packet. IP and TCP checksums are calculated if
CHECKSUM is true; it is true by default. SEQN and ACKN
should be in host order. SA and MASK are optional IP
addresses; if they are specified, the source address is
computed as ((random() & MASK) | SA).



EXAMPLES 

RandomTCPIPEncap (1.0.0.2 4) 



SEE ALSO 

RoundRobinTCPIPEncap(n), RandomUDPIPEncap(n)
RANDOMUDPIPENCAP(n) RANDOMUDPIPENCAP(n)



NAME 

RandomUDPIPEncap - Click element 
SYNOPSIS 

RandomUDPIPEncap (SADDR SPORT DADDR DPORT PROB [CHECKSUM?] 
[, ...]) 

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Encapsulates each incoming packet in a UDP/IP packet with
source address SADDR, source port SPORT, destination
address DADDR, and destination port DPORT. The UDP checksum
is calculated if CHECKSUM? is true; it is true by
default.

PROB gives the relative chance of this argument being used
over others.

The RandomUDPIPEncap element adds both a UDP header and an
IP header.

You can give a maximum of 16 arguments. Each argument specifies
a single UDP/IP header. The element will randomly pick one
argument. The relative probabilities are determined by
PROB.

The Strip(n) element can be used by the receiver to get
rid of the encapsulation header.

EXAMPLES

RandomUDPIPEncap(1.0.0.1 1234 2.0.0.2 1234 1 1,
                 1.0.0.2 1093 2.0.0.2 1234 2 1)

Will send about twice as many UDP/IP packets with 1.0.0.2
as the source address as packets with 1.0.0.1 as the
source address.



SEE ALSO 

Strip(n), UDPIPEncap(n), RoundRobinUDPIPEncap(n)
RATEWARN(n) RATEWARN(n)



NAME 

RateWarn - Click element; classifies traffic and sends out 
warnings when rate of traffic exceeds specified rate. 

SYNOPSIS 

RateWarn(RATE, WARNFREQ)

PROCESSING TYPE 
Push 

DESCRIPTION 

RateWarn has three output ports. It monitors the rate of 
packet arrival on input port 0. Packets are forwarded to 
output port 0 if rate is below RATE. If rate exceeds 
RATE, it sends out a warning packet WARNFREQ number of 
seconds apart on output port 2 in addition to forwarding 
all traffic through output port 1. 



SEE ALSO 

PacketMeter (n) 
RATIOSHAPER(n) RATIOSHAPER(n)



NAME 

RatioShaper - Click element 
SYNOPSIS 

RatioShaper (FWD_WEIGHT, REV_WEIGHT, THRESH, P) 

PROCESSING TYPE 
Push 

DESCRIPTION 

RatioShaper shapes packets based on fwd_rate_anno and
rev_rate_anno rate annotations set by IPRateMonitor(n).
If either annotation is greater than THRESH, and
FWD_WEIGHT*fwd_rate_anno > REV_WEIGHT*rev_rate_anno, the
packet is moved onto output port 1 with a probability of

min(1, P*(fwd_rate_anno*FWD_WEIGHT)/(rev_rate_anno*REV_WEIGHT))

FWD_WEIGHT, REV_WEIGHT, and THRESH are integers. P is a
decimal between 0 and 1. Otherwise, packet is forwarded on
output port 0.



EXAMPLES 

RatioShaper (1, 2, 100, .2); 

If fwd_rate_anno is more than twice as big as rev_rate_anno,
and both rates are above 100, drop packets with an initial
probability of 20 percent.



ELEMENT HANDLERS 

fwd_weight (read/write)
value of FWD_WEIGHT

rev_weight (read/write)
value of REV_WEIGHT



thresh (read/write) 
value of THRESH 



drop_prob (read/write) 
value of P 



SEE ALSO 

Block(n), IPRateMonitor(n)
REPORTACTIVITY(n) REPORTACTIVITY(n)



NAME 

ReportActivity - Click element 

SYNOPSIS 

ReportActivity (SAVE_FILE, IDLE) 

PROCESSING TYPE 
Agnostic 



DESCRIPTION 

Write into SAVE_FILE a 32 bit time value followed by an
ASCII representation of that time stamp whenever a packet
comes by. If IDLE number of seconds pass by without a packet,
removes the file.
ROUNDROBINSETIPADDRESS(n) ROUNDROBINSETIPADDRESS(n)

NAME

RoundRobinSetIPAddress - Click element
SYNOPSIS

RoundRobinSetIPAddress(ADDR [, ...])

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Set the destination IP address annotation of each packet
with an address chosen from the configuration string in
round robin fashion. Does not compute checksum (use
SetIPChecksum(n) or SetUDPTCPChecksum(n)) or encapsulate
the packet with headers (use RoundRobinUDPIPEncap(n) or
RoundRobinTCPIPEncap(n) with bogus address).

EXAMPLES

RoundRobinUDPIPEncap(2.0.0.2 0.0.0.0 0 0 0)
-> RoundRobinSetIPAddress(1.0.0.2, 1.0.0.3, 1.0.0.4)
-> StoreIPAddress(12)
-> SetIPChecksum
-> SetUDPTCPChecksum

This configuration segment places a UDP header onto each
packet, with randomly generated source and destination
ports. The destination IP address is 2.0.0.2, the source
IP address is 1.0.0.2, or 1.0.0.3, or 1.0.0.4. Both IP and
UDP checksums are computed.



SEE ALSO 

RoundRobinUDPIPEncap(n), RoundRobinTCPIPEncap(n), UDPIPEncap(n),
SetIPChecksum(n), SetUDPTCPChecksum(n), SetIPAddress(n),
StoreIPAddress(n)
ROUNDROBINTCPIPENCAP(n) ROUNDROBINTCPIPENCAP(n)

NAME 

RoundRobinTCPIPEncap - Click element 
SYNOPSIS 

RoundRobinTCPIPEncap(SA DA BITS [SP DP SEQN ACKN CHECKSUM]
[, ...])

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Encapsulates each incoming packet in a TCP/IP packet with
source address SA, source port SP (if 0, a random one is
generated for each packet), destination address DA, and
destination port DP (if 0, a random one is generated for
each packet), and control bits BITS. If SEQN and ACKN
specified are non-zero, they are used. Otherwise, they
are randomly generated for each packet. IP and TCP checksums
are calculated if CHECKSUM is true; it is true by
default. SEQN and ACKN should be in host order.

The RoundRobinTCPIPEncap element adds both a TCP header
and an IP header.

You can give as many arguments as you'd like. Each argument
specifies a single TCP/IP header. The element will
cycle through the headers in round-robin order.

The Strip(n) element can be used by the receiver to get
rid of the encapsulation header.

EXAMPLES 

RoundRobinTCPIPEncap (2.0.0.2 1.0.0.2 4 1022 1234 42387492 2394839 1, 

2.0.0.2 1.0.0.2 2) 



SEE ALSO 

Strip(n), RoundRobinUDPIPEncap(n)
ROUNDROBINUDPIPENCAP(n) ROUNDROBINUDPIPENCAP(n)



NAME 

RoundRobinUDPIPEncap - Click element 
SYNOPSIS 

RoundRobinUDPIPEncap(SADDR DADDR [SPORT DPORT CHECKSUM?]
[, ...])

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Encapsulates each incoming packet in a UDP/IP packet with
source address SADDR, source port SPORT, destination
address DADDR, and destination port DPORT. The UDP and IP
checksums are calculated if CHECKSUM? is true; it is true
by default. If either DPORT or SPORT is 0, the port will
be randomly generated for each packet.

The RoundRobinUDPIPEncap element adds both a UDP header
and an IP header.

You can give as many arguments as you'd like. Each argument
specifies a single UDP/IP header. The element will
cycle through the headers in round-robin order.

The Strip(n) element can be used by the receiver to get
rid of the encapsulation header.

EXAMPLES

RoundRobinUDPIPEncap(2.0.0.2 1.0.0.2 1234 1002 1,
                     2.0.0.2 1.0.0.2 1234)



SEE ALSO 

Strip(n), UDPIPEncap(n)
SETSNIFFFLAGS(n) SETSNIFFFLAGS(n)

NAME

SetSniffFlags - Click element; sets sniff flags annotation.

SYNOPSIS

SetSniffFlags(FLAGS [, CLEAR])

PROCESSING TYPE
Agnostic

DESCRIPTION

Set the sniff flags annotation of incoming packets to
FLAGS bitwise or with the old flags. If CLEAR is true
(false by default), the old flags are ignored.
SETUDPTCPCHECKSUM(n) SETUDPTCPCHECKSUM(n)



NAME 

SetUDPTCPChecksum - Click element 

SYNOPSIS 

SetUDPTCPChecksum()

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Expects an IP packet as input. Calculates the ICMP, UDP or
TCP header's checksum and sets the checksum header field.
Does not modify packet if it is not an ICMP, UDP, or TCP
packet.

SEE ALSO

SetIPChecksum(n)
STORESNIFFFLAGS(n) STORESNIFFFLAGS(n)



NAME 

StoreSniffFlags - Click element; stores sniff flags annotation
in packet

SYNOPSIS

StoreSniffFlags(OFFSET)

PROCESSING TYPE 
Agnostic 

DESCRIPTION 

Copy the sniff flags annotation into the packet at offset 
OFFSET. 



APPENDIX B 

TCPMONITOR(n) TCPMONITOR(n)



NAME 

TCPMonitor - Click element 

SYNOPSIS 

TCPMonitor () 

PROCESSING TYPE 
Push 

DESCRIPTION 

Monitors and splits TCP traffic. Output 0 is TCP traffic,
output 1 is non-TCP traffic. Keeps rates of TCP, TCP
BYTE, SYN, ACK, PUSH, RST, FIN, URG, and fragmented packets.
Also keeps rates of ICMP, UDP, non-TCP BYTE, and non-TCP
fragmented traffic.

ELEMENT HANDLERS

rates (read)
dumps rates
TCPSYNPROXY(n) TCPSYNPROXY(n)



NAME 

TCPSYNProxy - Click element 
SYNOPSIS 

TCPSYNProxy(MAX_CONNS, THRESHOLD, MIN_TIMEOUT, MAX_TIMEOUT
[, PASSIVE])

PROCESSING TYPE 
Push 

DESCRIPTION 

Helps set up a three-way TCP handshake from A to B by
supplying the last ACK packet to the SYN ACK B sent
prematurely, and sends RST packets to B later if no ACK was
received from A.

Expects IP encapsulated TCP packets, each with its IP
header marked (MarkIPHeader(n) or CheckIPHeader(n)).

Aside from responding to SYN ACK packets from B, TCPSYNProxy
also examines SYN packets from A. When a SYN packet
from A is received, if there are more than MAX_CONNS number
of outstanding 3 way connections per destination
(daddr + dport), reject the SYN packet. If MAX_CONNS is 0,
no maximum is set.

The duration from sending an ACK packet to B to sending a
RST packet to B decreases exponentially as the number of
outstanding connections to B increases past 2^THRESHOLD.
The minimum timeout is MIN_TIMEOUT. If the number of
outstanding half-open connections is above 2^THRESHOLD, the
timeout is

max(MIN_TIMEOUT, MAX_TIMEOUT >> (N >> THRESHOLD))

Where N is the number of outstanding half-open connections.
For example, let the MIN_TIMEOUT value be 4 seconds,
the MAX_TIMEOUT value be 90 seconds, and THRESHOLD
be 3. Then when N < 8, timeout is 90. When N < 16, timeout
is 45. When N < 24, timeout is 22 seconds. When N < 32,
timeout is 11 seconds. When N < 64, timeout is 4 seconds.
Timeout period does not decrement if the threshold is 0.

TCPSYNProxy has two inputs, three outputs. All inputs and
outputs take in and spew out packets with IP header.
Input 0 expects TCP packets from A to B. Input 1 expects
TCP packets from B to A. Output 0 spews out packets from A
to B. Output 1 spews out packets from B to A. Output 2
spews out the ACK and RST packets generated by the element.

If PASSIVE is true (it is not by default), monitor TCP
three-way handshake instead of actively setting it up. In
this case, no ACK or RST packets will be sent. When an
outstanding SYN times out, the SYN ACK packet is sent out
of output port 2. No packets on port 0 are modified or
dropped in this operating mode.
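
The MAX_CONNS check and the shrinking timeout described above, as an added C++ example that evaluates the formula exactly as written; it is a model and not Click's TCPSYNProxy source. The names syn_timeout, timeout_steps and HalfOpenTable are assumptions, and "more than MAX_CONNS" is read literally.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>
#include <vector>

// Added illustration (not Click source): the timeout and admission rules
// described for TCPSYNProxy, tracked per destination (daddr, dport).

// max(MIN_TIMEOUT, MAX_TIMEOUT >> (N >> THRESHOLD)), in seconds.
unsigned syn_timeout(unsigned n, unsigned threshold, unsigned min_t, unsigned max_t) {
    unsigned t = max_t;
    if (threshold != 0) {                       // threshold 0: the timeout never shrinks
        unsigned shift = threshold >= 32 ? 0 : n >> threshold;
        t = shift >= 32 ? 0 : max_t >> shift;   // shifting by >= 32 bits is undefined in C++
    }
    return t < min_t ? min_t : t;
}

typedef std::pair<unsigned, unsigned> Step;     // (first N, timeout from that N on)

// Values of N in [0, max_n] at which the timeout changes.
// For MIN 4, MAX 90, THRESHOLD 3: 0:90, 8:45, 16:22, 24:11, 32:5, 40:4.
std::vector<Step> timeout_steps(unsigned threshold, unsigned min_t, unsigned max_t,
                                unsigned max_n) {
    std::vector<Step> steps;
    for (unsigned n = 0; ; n++) {
        unsigned t = syn_timeout(n, threshold, min_t, max_t);
        if (steps.empty() || steps.back().second != t)
            steps.push_back(Step(n, t));
        if (n == max_n) break;                  // avoids wrap-around when max_n is UINT_MAX
    }
    return steps;
}

typedef std::pair<uint32_t, uint16_t> Dest;     // (daddr, dport)

class HalfOpenTable {
public:
    HalfOpenTable(unsigned max_conns, unsigned threshold, unsigned min_t, unsigned max_t)
        : max_conns_(max_conns), threshold_(threshold), min_t_(min_t), max_t_(max_t),
          rejected_(0) {}

    // SYN from A. Read literally: rejected once the destination has more than
    // MAX_CONNS outstanding handshakes; MAX_CONNS == 0 means no maximum.
    bool on_syn(const Dest &d) {
        unsigned &n = open_[d];
        if (max_conns_ != 0 && n > max_conns_) { rejected_++; return false; }
        n++;
        return true;
    }
    // The handshake completed (ACK from A) or the entry timed out and was reset.
    void on_close(const Dest &d) {
        std::map<Dest, unsigned>::iterator it = open_.find(d);
        if (it != open_.end() && --it->second == 0) open_.erase(it);
    }
    // Seconds to wait for A's ACK before RST is sent to B, at the current load.
    unsigned timeout_for(const Dest &d) const {
        std::map<Dest, unsigned>::const_iterator it = open_.find(d);
        return syn_timeout(it == open_.end() ? 0 : it->second, threshold_, min_t_, max_t_);
    }
    unsigned rejected() const { return rejected_; }

private:
    unsigned max_conns_, threshold_, min_t_, max_t_, rejected_;
    std::map<Dest, unsigned> open_;
};

int main() {
    std::vector<Step> s = timeout_steps(3, 4, 90, 63);
    for (size_t i = 0; i < s.size(); i++)
        std::printf("N >= %u: %u s\n", s[i].first, s[i].second);
    return 0;
}
```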



EXAMPLES 

... -> CheckIPHeader() -> TCPSYNProxy(128, 3, 10, 90) -> ...



ELEMENT HANDLERS 

summary (read) 

Returns number of ACK and RST packets sent and number 
of SYN packets rejected. 



table (read)

Dumps the table of half-opened connections.

reset (write)

Resets on write.

SEE ALSO

MarkIPHeader(n), CheckIPHeader(n)
TCPSYNRESP(n) TCPSYNRESP(n)



NAME 

TCPSYNResp - Click element 

SYNOPSIS 

TCPSYNResp () 

PROCESSING TYPE 
Push 

DESCRIPTION 

Takes in a TCP packet; if it is a SYN packet, returns a SYN
ACK. This is solely for debugging and performance tuning
purposes. No checksum is done. Spews out original packet
on output 0 untouched. Spews out new packet on output 1.